python-ldap: what encoding should I use to check password against Microsoft AD?

Question

I have a django application for which i wrote an ActiveDirectoryAuthBackend , based on this snippet (it uses python-ldap).

It works fine most of the time.

Now it happens that some users have non-ASCII characters in their domain passwords, which leads to authentication failure, because of an encoding coercion going bad in the simple_bind_s(username, password) function.

Actually, the password value that django passes is a unicode. So I guess I would need to encode this unicode before passing it to simple_bind_s , thus avoiding a failing default encoding translation.

But I have no clue as for what encoding to use. The password server is a Microsoft Active Directory.

Any idea?

Cheers.

O.

Answer 1

After some tests and reading users' CN containing non ASCII characters, I've found that the most probable encoding for my domain is "latin-1".

A good way to check credentials would look like:

class ActiveDirectoryAuthBackend(backends.ModelBackend):
    def authenticate(self, username=None, password=''):
        try:
            from django.contrib.auth.model import User
            user = User.objects.get(username=username):
        except User.DoesNotExist:
            return None

        from django.conf import settings
        import ldap
        con = ldap.initialize('ldap://{0}'.format(settings.get('LDAP_SERVER', None)))
        con.set_option(ldap.OPT_REFERRALS, 0)

        try:
            con.simple_bind_s(username, password.encode('latin1'))
            return user
        exceot ldap.INVALID_CREDENTIALS:
            return None